TWI841070B - Attack prevention method and access point using the same - Google Patents

Publication number: TWI841070B
Authority: TW (Taiwan)
Prior art keywords: authentication, sta, request frame, frame, response
Application number: TW111144557A
Other languages: Chinese (zh)
Other versions: TW202325055A (en)
Inventor: 郭明旺, 桑特瓦納 帕尼格拉希
Original Assignee: 聯發科技股份有限公司
Priority claimed from: US17/991,767 (US20230180006A1)
Application filed by: 聯發科技股份有限公司
Publication of TW202325055A
Application granted
Publication of TWI841070B

Abstract

An attack prevention method includes: receiving an authentication request frame; and in response to receiving the authentication request frame, replying with an authentication response frame that is sent to a non-AP STA, wherein the authentication response frame includes a timeout interval element that carries Authentication Comeback time. Another attack prevention method includes: ignoring each specific request frame that is received within a period in which a connected non-AP STA operates under a power saving mode, wherein each specific request frame includes one of an authentication request frame, an association request frame, and a reassociation request frame.

Description

Attack prevention method and access point using the same

The present invention relates to wireless communications, and more specifically to an attack prevention method for dealing with authentication flooding attacks, association flooding attacks and/or reassociation flooding attacks, and to an access point using the attack prevention method.

The three types of 802.11 frames are management frames, control frames, and data frames. Wireless clients use management frames (e.g., authentication frames, deauthentication frames, association request frames, reassociation request frames) to find and connect to the correct Wi-Fi network, and to manage the client connection after successful association. Without the Protected Management Frame (PMF) feature, all management frames are sent unprotected in the open. Sending unprotected frames leaves the connection vulnerable to attack. PMF provides integrity protection for unicast and broadcast management frames, and also encrypts unicast management frames in the same way as data to provide confidentiality. However, the PMF standard does not clearly define how to prevent authentication request flooding attacks. As a result, an access point (AP) may frequently send Security Association (SA) Query requests to a non-AP station (STA) to check whether the non-AP STA is active. In addition, there may be interoperability test (IOT) issues between the AP and the connected non-AP STA, so that authentication flooding attacks cannot be prevented effectively.

In addition, after the connection between the AP and the non-AP STA has been established, the non-AP STA can enter power saving mode. A non-AP STA in power saving mode does not send authentication request frames, association request frames and/or reassociation request frames to the AP. However, the PMF standard does not clearly define how the AP handles authentication request frames, association request frames and/or reassociation request frames while the non-AP STA operates in power saving mode.

One of the objectives of the present invention is to provide an attack prevention method for dealing with authentication flooding attacks, association flooding attacks and/or reassociation flooding attacks, and an access point using the attack prevention method.

According to a first aspect of the present invention, an exemplary attack prevention method is disclosed. The exemplary attack prevention method includes: receiving an authentication request frame; and in response to receiving the authentication request frame, replying with an authentication response frame that is sent to a non-access point (non-AP) station (STA), wherein the authentication response frame includes a timeout interval element that carries an Authentication Comeback time.

According to a second aspect of the present invention, an exemplary attack prevention method is disclosed. The exemplary attack prevention method includes: ignoring each specific request frame received within a period in which a connected non-access point (non-AP) station (STA) operates in power saving mode, wherein each specific request frame is one of an authentication request frame, an association request frame, and a reassociation request frame.

According to a third aspect of the present invention, an exemplary access point (AP) capable of preventing attacks is disclosed. The exemplary AP includes a network interface circuit and a control circuit. The network interface circuit is used to receive an authentication request frame. The control circuit is used to generate an authentication response frame in response to the authentication request frame, and to instruct the network interface circuit to send the authentication response frame to a non-access point (non-AP) station (STA), wherein the authentication response frame includes a timeout interval element that carries an Authentication Comeback time.

According to a fourth aspect of the present invention, an exemplary access point (AP) capable of preventing attacks is disclosed. The exemplary AP includes a network interface circuit and a control circuit. The control circuit is configured to ignore each specific request frame received by the network interface circuit within a period in which a connected non-access point (non-AP) station (STA) operates in power saving mode, wherein each specific request frame is one of an authentication request frame, an association request frame, and a reassociation request frame.

These and other objectives of the present invention will no doubt become apparent to those of ordinary skill in the art after reading the following detailed description of the preferred embodiments illustrated in the various drawings.

100: Wireless communication system

102: Wireless communication device, AP

104: Wireless communication device, non-AP STA

114: Memory

112: Processor

116: Control circuit

118: Network interface circuit

120: TX circuit

122: RX circuit

FIG. 1 is a schematic diagram showing a wireless communication system according to an embodiment of the present invention.

FIG. 2 is a sequence diagram showing the interaction of the first attack prevention scheme adopted by the AP according to an embodiment of the present invention.

FIG. 3 is a sequence diagram showing the interaction of the second attack prevention scheme adopted by the AP according to an embodiment of the present invention.

Certain terms are used in the following description and claims to refer to particular components. As those skilled in the art will understand, electronic device manufacturers may refer to a component by different names. This application does not intend to distinguish between components that differ in name but not in function. In the following description and claims, the terms "including" and "comprising" are used in an open-ended manner and should be interpreted as "including but not limited to...". In addition, the term "coupled" is intended to mean either an indirect or a direct electrical connection. Thus, if one device is coupled to another device, the coupling may be a direct electrical connection, or an indirect electrical connection via other devices and connections.

FIG. 1 is a schematic diagram showing a wireless communication system according to an embodiment of the present invention. The wireless communication system 100 includes a plurality of wireless communication devices 102 and 104. For example, the wireless communication system 100 is a wireless fidelity (Wi-Fi) system that includes an access point (AP) and a non-AP STA. In one embodiment of the present invention, the wireless communication device 102 is an AP, and the wireless communication device 104 is a non-AP STA. The AP can adopt the proposed attack prevention schemes. For brevity, only two wireless communication devices 102 and 104 are shown in FIG. 1. In practice, the wireless communication system 100 may have more than two wireless communication devices, including an AP and more than one non-AP STA in the same basic service set (BSS).

The wireless communication device 102 includes a processor 112, a memory 114, a control circuit 116, and a network interface circuit 118, wherein the network interface circuit 118 includes a transmitter (TX) circuit 120 and a receiver (RX) circuit 122. The memory 114 is arranged to store program code. The processor 112 loads and executes the program code to manage the wireless communication device 102. The control circuit 116 controls wireless communication with the wireless communication device 104. Since the wireless communication device 102 is an AP and the wireless communication device 104 is a non-AP STA, the control circuit 116 controls the TX circuit 120 of the network interface circuit 118 to handle downlink (DL) traffic between the AP and the non-AP STA, and controls the RX circuit 122 of the network interface circuit 118 to handle uplink (UL) traffic between the AP and the non-AP STA.

It should be noted that FIG. 1 shows only the components related to the present invention. In practice, the wireless communication device 102 may include additional components to implement its designated functions.

In this embodiment, the wireless communication device 102 is an AP that can support a first attack prevention feature and/or a second attack prevention feature. The first attack prevention feature handles authentication flooding attacks within the timeout period specified by the Authentication Comeback time. The second attack prevention feature handles authentication flooding attacks, association flooding attacks, and/or reassociation flooding attacks within the period in which the wireless communication device 104 (a non-AP STA) operates in power saving mode. Further details of the proposed first and second attack prevention schemes are described with reference to the accompanying drawings.

Please refer to FIG. 1 in conjunction with FIG. 2. FIG. 2 is a sequence diagram showing the interaction of the first attack prevention scheme adopted by the AP according to an embodiment of the present invention. In the wireless communication system (e.g., Wi-Fi system) 100 shown in FIG. 1, the wireless communication device 102 is an AP, and the wireless communication device 104 is a non-AP STA. In the following, the terms "wireless communication device 102" and "AP 102" are interchangeable, and the terms "wireless communication device 104" and "non-AP STA 104" are interchangeable. A connection negotiation process is initiated between the AP 102 and the non-AP STA 104. For example, the connection negotiation process may include an authentication procedure, an association procedure, and an extensible authentication protocol over local area network (EAPOL) procedure. After the non-AP STA 104 has successfully connected to the AP 102, the network interface circuit 118 of the AP 102 (specifically, the RX circuit 122 of the network interface circuit 118) receives an authentication request frame. In this example, the authentication request frame is sent by an attacker rather than by the connected non-AP STA 104. The control circuit 116 of the AP 102 generates an authentication response frame in response to the authentication request frame and instructs the network interface circuit 118 (specifically, the TX circuit 120 of the network interface circuit 118) to send the authentication response frame to the non-AP STA 104. In this embodiment, the frame body of the authentication response frame may include a Reason Code field and a Timeout Interval element (TIE), where the Reason Code field indicates why the authentication response frame was generated, and the TIE carries the Authentication Comeback time that specifies a timeout period. The Authentication Comeback time carried in the authentication response frame notifies the non-AP STA 104 not to send an authentication request within the Authentication Comeback time, and to send an authentication request only after the Authentication Comeback time. The timeout period may be the duration of the Authentication Comeback time, as shown in FIG. 2. The Authentication Comeback time may start when the attacker's authentication request frame is received, but the present invention is not limited thereto.

The control circuit 116 of the AP 102 also ignores each authentication request frame received by the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) within the timeout period specified by the Authentication Comeback time (which is carried by the authentication response frame sent in response to the authentication request frame from the attacker). For example, before the timeout period expires, the control circuit 116 directly discards any received authentication request frame without processing its payload. This saves AP resources. As another example, before the timeout period expires, the control circuit 116 does not generate an authentication response frame in response to any received authentication request frame. This keeps unnecessary authentication response frames from occupying wireless medium resources. As shown in FIG. 2, the proposed first attack prevention scheme protects the AP 102 from an attacker's authentication flooding attack within the timeout period specified by the Authentication Comeback time.

In addition, the control circuit 116 of the AP 102 is configured to generate a Security Association (SA) Query request frame and to instruct the network interface circuit 118 (specifically, the TX circuit 120 of the network interface circuit 118) to send the SA Query request frame to the non-AP STA 104 within the timeout period specified by the Authentication Comeback time. A non-AP STA 104 that supports the SA Query procedure and receives the SA Query request frame should respond with an SA Query response frame, unless the non-AP STA 104 is not active (i.e., not currently associated with the AP 102 that sent the SA Query request frame). If the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) receives an SA Query response frame with the correct transaction identifier (ID) from the non-AP STA 104 within the timeout period specified by the Authentication Comeback time, the control circuit 116 maintains the connection with the non-AP STA 104. Otherwise, if the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) does not receive an SA Query response frame with the correct transaction ID from the non-AP STA 104 within the timeout period specified by the Authentication Comeback time, the control circuit 116 generates a deauthentication frame for terminating the Wi-Fi connection and instructs the network interface circuit 118 (specifically, the TX circuit 120 of the network interface circuit 118) to send the deauthentication frame to the non-AP STA 104. The SA Query request frame includes a transaction ID; an SA Query response frame has the correct transaction ID if its transaction ID is the same as the one in the SA Query request frame.

As shown in FIG. 2, the first attack prevention scheme has an explicit procedure for handling authentication flooding attacks, and can prevent IOT issues between the AP and the connected non-AP STA.

Please refer to FIG. 1 in conjunction with FIG. 3. FIG. 3 is a sequence diagram showing the interaction of the second attack prevention scheme adopted by the AP according to an embodiment of the present invention. In the wireless communication system (e.g., Wi-Fi system) 100 shown in FIG. 1, the wireless communication device 102 is an AP, and the wireless communication device 104 is a non-AP STA. In the following, the terms "wireless communication device 102" and "AP 102" are interchangeable, and the terms "wireless communication device 104" and "non-AP STA 104" are interchangeable. A connection negotiation process is initiated between the AP 102 and the non-AP STA 104. For example, the connection negotiation process may include an authentication procedure, an association procedure, and an EAPOL procedure. After the non-AP STA 104 has successfully connected to the AP 102, the non-AP STA 104 may enter power saving mode (PS=1) when it has no data to send. For example, the non-AP STA 104 may send a frame to the AP 102 to indicate that it is operating in power saving mode. The control circuit 116 of the AP 102 is configured to ignore each specific request frame (e.g., an authentication request frame, an association request frame, or a reassociation request frame) received by the network interface circuit 118 (specifically, the RX circuit 122 of the network interface circuit 118) within the period in which the connected non-AP STA 104 operates in power saving mode. Because the non-AP STA 104 has entered power saving mode, it will not send any authentication request frame, association request frame, or reassociation request frame to the AP 102. Therefore, any authentication request frame, association request frame and/or reassociation request frame that the AP 102 receives while the connected non-AP STA 104 operates in power saving mode is regarded as a flooding attack from an attacker.

For example, the control circuit 116 directly discards any authentication/association/reassociation request frame received within the period in which the connected non-AP STA 104 operates in power saving mode (i.e., before the non-AP STA 104 leaves power saving mode (PS=0)), without processing the payload of the received frame. This saves AP resources. As another example, the control circuit 116 does not generate a specific frame in response to any authentication/association/reassociation request frame received within the period in which the connected non-AP STA 104 operates in power saving mode (i.e., before the non-AP STA 104 leaves power saving mode (PS=0)), where the specific frame can be one of an authentication response frame, an association response frame, a reassociation response frame, and an SA Query request frame. This keeps unnecessary authentication response, association response, reassociation response, and SA Query request frames from occupying wireless medium resources. In addition, since a non-AP STA 104 in power saving mode cannot reply with an SA Query response frame, the second attack prevention scheme stops the AP 102 from sending the SA Query request frame, which prevents the AP 102 from unexpectedly terminating the Wi-Fi connection between the AP 102 and the non-AP STA 104.

As shown in FIG. 3, the second attack prevention scheme protects the AP 102 from an attacker's authentication/association/reassociation flooding attacks within the period in which the non-AP STA 104 operates in power saving mode. Specifically, the second attack prevention scheme has an explicit procedure for handling authentication/association/reassociation flooding attacks when the connected non-AP STA operates in power saving mode.
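The first and second schemes described above, condensed into one per-STA decision routine; this is an added example, not code from the patent or from any AP firmware. The function names, the millisecond clock, the `sta_state` record and the placeholder Timeout Interval type value are assumptions, since the page gives neither a type code nor a unit for the Authentication Comeback time.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.11 Timeout Interval element: ID 56, length 5 (1-byte type, 32-bit value). */
#define EID_TIMEOUT_INTERVAL 56
/* ASSUMPTION: placeholder only; the page gives no type code for the
 * Authentication Comeback time. */
#define TIE_TYPE_AUTH_COMEBACK_PLACEHOLDER 0xFF

enum rx_frame { RX_AUTH_REQ, RX_ASSOC_REQ, RX_REASSOC_REQ, RX_SA_QUERY_RESP };

enum ap_action {
    AP_NONE,                /* nothing due */
    AP_NORMAL_PATH,         /* frame not covered by either scheme */
    AP_DROP,                /* ignore: payload not parsed, no response sent */
    AP_REPLY_TIE_AND_QUERY, /* auth response with TIE, then SA Query request */
    AP_KEEP_CONNECTION,     /* SA Query response carried the expected ID */
    AP_SEND_DEAUTH          /* window ended without a valid SA Query response */
};

/* Hypothetical per-STA record, looked up by the frame's claimed source address. */
struct sta_state {
    bool connected, power_save, window_open, sa_confirmed;
    uint64_t window_end_ms;
    uint16_t sa_trans_id;
};

/* Serialize a Timeout Interval element; returns the number of bytes written. */
size_t build_timeout_interval(uint8_t out[7], uint8_t type, uint32_t value)
{
    out[0] = EID_TIMEOUT_INTERVAL;
    out[1] = 5;
    out[2] = type;
    for (int i = 0; i < 4; i++)          /* 802.11 fields are little-endian */
        out[3 + i] = (uint8_t)(value >> (8 * i));
    return 7;
}

/* Close the comeback window once it has run out and decide the STA's fate. */
enum ap_action ap_poll(struct sta_state *s, uint64_t now_ms)
{
    if (!s->window_open || now_ms < s->window_end_ms)
        return AP_NONE;
    s->window_open = false;
    if (s->sa_confirmed)
        return AP_KEEP_CONNECTION;
    s->connected = false;
    return AP_SEND_DEAUTH;
}

/* Decide what the AP does with one received frame claiming to come from s. */
enum ap_action ap_rx(struct sta_state *s, enum rx_frame f, uint16_t trans_id,
                     uint64_t now_ms, uint32_t comeback_ms, uint16_t new_trans_id)
{
    if (ap_poll(s, now_ms) == AP_SEND_DEAUTH)
        return AP_SEND_DEAUTH;
    if (!s->connected)
        return AP_NORMAL_PATH;           /* ordinary first-time connection */

    if (f == RX_SA_QUERY_RESP) {
        if (s->window_open && trans_id == s->sa_trans_id) {
            s->sa_confirmed = true;
            return AP_KEEP_CONNECTION;
        }
        return AP_DROP;                  /* wrong ID or no query outstanding */
    }
    /* Second scheme: a sleeping STA sends no such request, so drop it and
     * start no SA Query, which the STA could not answer. */
    if (s->power_save)
        return AP_DROP;
    if (f != RX_AUTH_REQ)
        return AP_NORMAL_PATH;           /* (re)association while awake */
    /* First scheme: ignore repeats until the comeback window ends. */
    if (s->window_open)
        return AP_DROP;
    s->window_open = true;
    s->sa_confirmed = false;
    s->window_end_ms = now_ms + comeback_ms;
    s->sa_trans_id = new_trans_id;       /* caller supplies a fresh random ID */
    return AP_REPLY_TIE_AND_QUERY;
}

int main(void)
{
    /* Constructed trace: a connected STA, spoofed auth requests, a valid SA Query answer. */
    struct sta_state sta = { .connected = true };
    uint8_t tie[7];
    build_timeout_interval(tie, TIE_TYPE_AUTH_COMEBACK_PLACEHOLDER, 500);
    printf("t=0    auth req      -> %d\n", ap_rx(&sta, RX_AUTH_REQ, 0, 0, 500, 0x1234));
    printf("t=100  auth req      -> %d\n", ap_rx(&sta, RX_AUTH_REQ, 0, 100, 500, 0x5678));
    printf("t=200  SA resp 1234  -> %d\n", ap_rx(&sta, RX_SA_QUERY_RESP, 0x1234, 200, 500, 0));
    printf("t=500  window closes -> %d\n", ap_poll(&sta, 500));
    return 0;
}
```

The only state a flood can touch during the window is the drop counter an implementation might add; the transaction ID and window end are fixed by the first request and are not refreshed by repeats.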

Those skilled in the art will readily observe that many modifications and variations may be made to the apparatus and methods while retaining the teachings of the present invention. Accordingly, the above disclosure should be construed as limited only by the metes and bounds of the appended claims.

Although the present invention has been described in terms of what are currently considered to be the most practical and preferred embodiments, it should be understood that the present invention need not be limited to the disclosed embodiments. On the contrary, it is intended to cover various modifications and similar arrangements included within the spirit and scope of the appended claims, thereby covering all such modifications and similar structures.

102: AP

104: Non-AP STA

Claims (12)

1. An attack prevention method, comprising: receiving an authentication request frame from an attacker; in response to receiving the authentication request frame, replying with an authentication response frame that is sent to a non-access point (non-AP) station (STA), wherein the authentication response frame includes a timeout interval element, and the timeout interval element carries an Authentication Comeback time; and within a timeout period specified by the Authentication Comeback time, sending a security association (SA) query request frame to the non-AP STA; wherein the SA query request frame includes a transaction identifier, and the transaction identifier is used to indicate whether to maintain a connection with the non-AP STA.

2. The method according to claim 1, further comprising: ignoring each authentication request frame received within the timeout period specified by the Authentication Comeback time.

3. The method according to claim 2, wherein ignoring each authentication request frame received within the timeout period specified by the Authentication Comeback time comprises: discarding each authentication request frame without processing the payload of each authentication request frame.

4. The method according to claim 2, wherein ignoring each authentication request frame received within the timeout period specified by the Authentication Comeback time comprises: not replying with an authentication response frame in response to each authentication request frame.

5. The method according to claim 1, further comprising: within the timeout period specified by the Authentication Comeback time, in response to receiving an SA query response frame having the transaction identifier from the non-AP STA, maintaining the connection with the non-AP STA.

6. The method according to claim 1, further comprising: within the timeout period specified by the Authentication Comeback time, in response to not receiving an SA query response frame having the transaction identifier from the non-AP STA, sending a deauthentication frame to the non-AP STA.

7. An access point (AP) capable of preventing attacks, comprising: a network interface circuit for receiving an authentication request frame; and a control circuit for generating an authentication response frame in response to the authentication request frame, and instructing the network interface circuit to send the authentication response frame to a non-access point (non-AP) station (STA), wherein the authentication response frame includes a timeout interval element, and the timeout interval element carries an Authentication Comeback time; wherein the control circuit is further used to generate a security association (SA) query request frame within a timeout period specified by the Authentication Comeback time and to instruct the network interface circuit to send the SA query request frame to the non-AP STA; wherein the SA query request frame includes a transaction identifier, and the transaction identifier is used to indicate whether to maintain a connection with the non-AP STA.

8. The AP capable of preventing attacks according to claim 7, wherein the control circuit is further used to ignore each authentication request frame received within the timeout period specified by the Authentication Comeback time.

9. The AP capable of preventing attacks according to claim 8, wherein the control circuit discards each authentication request frame without processing the payload of each authentication request frame.

10. The AP capable of preventing attacks according to claim 8, wherein the control circuit does not generate an authentication response frame in response to each authentication request frame.

11. The AP capable of preventing attacks according to claim 7, wherein the control circuit is further used to maintain the connection with the non-AP STA when the network interface circuit receives an SA query response frame having the transaction identifier from the non-AP STA within the timeout period specified by the Authentication Comeback time.

12. The AP capable of preventing attacks according to claim 7, wherein the control circuit is further used to generate a deauthentication frame and instruct the network interface circuit to send the deauthentication frame to the non-AP STA when the network interface circuit does not receive an SA query response frame having the transaction identifier from the non-AP STA within the timeout period specified by the Authentication Comeback time.
TW111144557A 2021-12-02 2022-11-22 Attack prevention method and access point using the same TWI841070B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
IN202121055885 2021-12-02
IN202121055885 2021-12-02
US17/991,767 2022-11-21
US17/991,767 US20230180006A1 (en) 2021-12-02 2022-11-21 Attack prevention method for dealing with authentication flooding attack, association flooding attack, and/or reassociation flooding attack and access point using the same

Publications (2)

Publication Number Publication Date
TW202325055A TW202325055A (en) 2023-06-16
TWI841070B TWI841070B (en) 2024-05-01

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210227469A1 (en) 2017-11-02 2021-07-22 Lg Electronics Inc. Method for transmitting or receiving frame in wireless lan and apparatus therefor

Similar Documents

Publication Publication Date Title
US9843579B2 (en) Dynamically generated SSID
US10129755B2 (en) Deauthenticating and disassociating unauthorized access points with spoofed management frames
US7881475B2 (en) Systems and methods for negotiating security parameters for protecting management frames in wireless networks
US8750272B2 (en) System and method for centralized station management
US7783756B2 (en) Protection for wireless devices against false access-point attacks
KR101378647B1 (en) Providing apparatus and method capable of protecting privacy mac frame in ieee 802.15.4 networks
WO2013122398A1 (en) Method and apparatus for filtering-based scanning in wlan system
US7624271B2 (en) Communications security
US20070060043A1 (en) Wireless communication device and methods for protecting broadcasted management control messages in wireless networks
RU2003134279A (en) OWN WIFI ARCHITECTURE FOR 802.11 NETWORKS
TWI307232B (en) Wireless local area network with protection function and method for preventing attack
CN101405987A (en) Asymmetric cryptography for wireless systems
US11962692B2 (en) Encrypting data in a pre-associated state
TWI841070B (en) Attack prevention method and access point using the same
WO2022228455A1 (en) Communication method and related apparatus
KR100969782B1 (en) Authentication method and apparatus using privacy key management protocol in wireless broadband internet system
WO2020009923A1 (en) Key and packet number management for wakeup radio frames
US20230180006A1 (en) Attack prevention method for dealing with authentication flooding attack, association flooding attack, and/or reassociation flooding attack and access point using the same
TW202325055A (en) Attack prevention method and access point using the same
JP2008048212A (en) Radio communication system, radio base station device, radio terminal device, radio communication method, and program
US10785703B1 (en) Preventing connections to unauthorized access points with channel switch announcements
WO2020093860A1 (en) Fake network device identification method and communication apparatus
US8117658B2 (en) Access point, mobile station, and method for detecting attacks thereon
WO2018228681A1 (en) Apparatus and method for communications
US11601813B2 (en) Preventing wireless connections to an unauthorized access point on a data communication network using NAV values